In earlier posts, we covered how active adversaries’ attack tactics have evolved and shared specific response tactics to defend against them. This post will discuss the need for dynamic defenses and how to gain the insights necessary to change security policies as active adversaries persist in their attacks.
This is vital because as attackers become more agile and adjust their tactics, enterprises need defenses that also actively adapt. This requires a governance policy that constantly re-evaluates risk and security processes that can adapt to changing threat contexts and attack techniques. That calls for threat intelligence that keeps up with a changing threat landscape and uses that insight to adapt.
Threat intelligence is critical to keeping security defenses dynamic, providing context and actionable insights to help organizations proactively identify, prevent, and respond to cyber-attacks. The vital thing is to attain threat intelligence proactively and put that intelligence to use within the organization.
Generally, such threat intelligence is collected from various sources, including security logs, open-source intelligence, and threat intelligence feeds. Then, this data is used to identify patterns, indicators of compromise, and tactics, techniques, and procedures used by threat actors.
"By acting proactively—including updating defense mechanisms or developing security policies and processes—organizations can stay 'left of boom' in avoiding the impact of a particular attack or otherwise minimizing its effect. Threat intelligence is the compass that guides cybersecurity efforts, allowing for more informed decision-making and a more robust security posture in an ever-evolving threat landscape," says Bryon Hundley, vice president of intelligence operations at the Retail and Hospitality Information Security and Analysis Center.
"In an era characterized by sophisticated and rapidly evolving cyber threats, the ability to gather, analyze, and act on timely and actionable intelligence sets apart reactive security postures from proactive ones," Hundley says, adding that threat intelligence also must involve a deep understanding of the environment being protected. "This insight is important because it enables organizations to anticipate potential threats and tailor their defenses accordingly to ensure that protective measures are both relevant and robust," he says.
To gain the insights needed to change security policies proactively as threats evolve, organizations should consider the following steps:
If the organization doesn't have a threat intelligence program, create one. If you don't have the staff to dedicate to threat intelligence gathering and analysis, consider outsourcing to gain those capabilities. By collecting, analyzing, and sharing curated intelligence with the right teams throughout the organization, one's security posture can adapt to the threat landscape.
Harness quality, pertinent threat intelligence sources. These include open-source intelligence, such as the open, deep, and dark web. Other sources should include intelligence feeds from industry groups, government agencies, and threat intelligence vendors.
The magic happens in intelligence analysis. Once your threat intelligence is collected, it must be cleaned, vetted for context, and prioritized. Many factors go into this mix, including its relevance to the organization (such as industry and tech-stack specifics), its timeliness, and its accuracy and source credibility. By keeping current, your security posture can adapt as threats evolve.
Keep security policies and defenses up to date. As threat intelligence analysis warrants, update security policies and defensive controls to better defend your organization against the most pressing threats. Updating web application and network firewalls, intrusion detection/prevention system rules, and incident response playbooks are vital things to consider.
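The steps above (collect from several sources, analyze for relevance, timeliness, accuracy and credibility, then update controls) can be illustrated with a small triage pipeline. This is an added example, not code from the post or from any vendor it mentions; the feed entries, the source credibility weights, the asset inventory, the seven-day half-life and the deny-rule syntax are all constructed assumptions.

```python
"""Threat-intelligence triage: score, prioritize, and turn indicators into
defensive rules. Added example; not the post's or any vendor's code.
Indicators, feed names, asset inventory and rule syntax are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical credibility weight per source category (0..1).
SOURCE_CREDIBILITY = {"isac": 0.9, "government": 0.85, "vendor": 0.8, "osint": 0.5}

# Constructed asset inventory: technologies this organization actually runs.
ASSET_INVENTORY = {"windows", "exchange", "vpn-appliance", "nginx"}

# Fixed clock so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Indicator:
    value: str            # IP, domain or file hash (constructed values below)
    ioc_type: str         # "ip", "domain" or "sha256"
    source: str           # key into SOURCE_CREDIBILITY
    first_seen: datetime  # when the feed first reported it
    affected_tech: set    # technologies the associated campaign targets
    confidence: float     # feed-supplied accuracy estimate, 0..1


def relevance(ind, inventory=ASSET_INVENTORY):
    """Share of the campaign's targeted technologies that we actually run."""
    if not ind.affected_tech:
        return 0.5  # unknown targeting: neither boost nor discard
    return len(ind.affected_tech & inventory) / len(ind.affected_tech)


def timeliness(ind, now=NOW, half_life_days=7.0):
    """Exponential decay: weight halves every half_life_days of indicator age."""
    age_days = max((now - ind.first_seen).total_seconds() / 86400.0, 0.0)
    return 0.5 ** (age_days / half_life_days)


def score(ind):
    """Combine relevance, timeliness, accuracy and source credibility (0..1)."""
    cred = SOURCE_CREDIBILITY.get(ind.source, 0.3)  # unknown sources get low trust
    return round(relevance(ind) * timeliness(ind) * ind.confidence * cred, 3)


def prioritize(indicators, threshold=0.4):
    """Keep indicators scoring at or above threshold, highest first."""
    kept = [(score(i), i) for i in indicators if score(i) >= threshold]
    return sorted(kept, key=lambda pair: pair[0], reverse=True)


def firewall_rules(prioritized):
    """Express high-priority network indicators as deny rules (hypothetical syntax)."""
    return [
        f"deny {ind.ioc_type} {ind.value}  # score={s} source={ind.source}"
        for s, ind in prioritized
        if ind.ioc_type in ("ip", "domain")
    ]


def day(n):
    """Helper: a timestamp n days before NOW."""
    return NOW - timedelta(days=n)


SAMPLE_INDICATORS = [  # constructed feed entries, not real IoCs
    Indicator("203.0.113.10", "ip", "isac", day(1), {"exchange", "windows"}, 0.9),
    Indicator("bad.example", "domain", "osint", day(30), {"exchange"}, 0.6),
    Indicator("constructed-sha256-placeholder", "sha256", "vendor", day(2), {"macos"}, 0.95),
    Indicator("198.51.100.7", "ip", "government", day(3), {"vpn-appliance"}, 0.8),
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_INDICATORS)
    for s, ind in ranked:
        print(s, ind.value)
    print("\n".join(firewall_rules(ranked)))
```

The stale OSINT domain and the macOS-only hash fall below the threshold, while the fresh ISAC and government indicators that match the inventory are promoted into rules; the weighting itself is the part an organization would tune to its own environment.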
Finally, to meet today's fast-changing threats, it's also crucial to have network and endpoint security toolsets that can adapt as needed. Here's what to look for:
Security defenses that disrupt and delay attackers: When signs of a device being compromised are identified, modern security defenses should place the at-risk device into a temporary, more aggressive security mode and block activities associated with attack techniques, such as attempted running of remote admin tools, launching untrusted executables, and rebooting the machine into Safe Mode, among others.
Creates additional response time: Active adversaries execute "fast" ransomware attacks in hours, making quick detection and response crucial. Adaptive protection should give defenders additional time to investigate and respond to attacks that are underway. By disrupting the attack chain in this way, defenders gain the time to ensure the adversary fails in their objectives.
Automatically raises defenses: Because defenses are raised automatically as soon as an attack is detected, users are protected with heightened defenses exactly when they need them.
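The three properties just listed (a temporary aggressive mode triggered by compromise signals, blocking of the named activities while it lasts, and automatic raising of defenses) can be modelled as a small state machine over endpoint events. This is an added example, not code from the post or from any product it describes; the device names, event kinds, telemetry and the four-hour window are constructed assumptions.

```python
"""Simulated adaptive endpoint protection. Added example; not code from the
post or from any product it describes. Device names, event kinds and the
4-hour window are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical length of the temporary heightened-security mode.
AGGRESSIVE_WINDOW = timedelta(hours=4)

# Constructed signals that a device may be compromised.
COMPROMISE_SIGNALS = {"security_service_tamper", "credential_dump_attempt", "mass_file_encrypt"}

# Activities blocked only while a device is in aggressive mode (the post's list).
BLOCKED_WHEN_AGGRESSIVE = {"remote_admin_tool", "untrusted_executable", "safe_mode_reboot"}


@dataclass
class Device:
    name: str
    aggressive_until: Optional[datetime] = None
    log: list = field(default_factory=list)

    def in_aggressive_mode(self, now):
        return self.aggressive_until is not None and now < self.aggressive_until


class AdaptiveProtection:
    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}

    def handle(self, event):
        """Decide one event: 'escalate', 'block' or 'allow'."""
        dev = self.devices[event["device"]]
        now, kind = event["ts"], event["kind"]
        if kind in COMPROMISE_SIGNALS:
            # Raise defenses automatically; a repeat signal extends the window.
            dev.aggressive_until = now + AGGRESSIVE_WINDOW
            dev.log.append((now, "escalate", kind))
            return "escalate"
        if kind in BLOCKED_WHEN_AGGRESSIVE and dev.in_aggressive_mode(now):
            dev.log.append((now, "block", kind))
            return "block"
        # Outside aggressive mode the baseline policy applies (modelled here as allow).
        dev.log.append((now, "allow", kind))
        return "allow"

    def run(self, events):
        return [self.handle(e) for e in sorted(events, key=lambda e: e["ts"])]


T0 = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)  # off-hours start, constructed

SAMPLE_EVENTS = [  # constructed telemetry, in arrival order
    {"device": "ws-01", "ts": T0, "kind": "remote_admin_tool"},
    {"device": "ws-01", "ts": T0 + timedelta(minutes=5), "kind": "security_service_tamper"},
    {"device": "ws-01", "ts": T0 + timedelta(minutes=10), "kind": "remote_admin_tool"},
    {"device": "ws-01", "ts": T0 + timedelta(minutes=12), "kind": "untrusted_executable"},
    {"device": "ws-02", "ts": T0 + timedelta(minutes=12), "kind": "remote_admin_tool"},
    {"device": "ws-01", "ts": T0 + timedelta(hours=3), "kind": "safe_mode_reboot"},
    {"device": "ws-01", "ts": T0 + timedelta(hours=5), "kind": "remote_admin_tool"},
]


def simulate(events=SAMPLE_EVENTS):
    """Run the engine over the events; return (decisions, engine) for inspection."""
    engine = AdaptiveProtection([Device("ws-01"), Device("ws-02")])
    return engine.run(events), engine


if __name__ == "__main__":
    decisions, engine = simulate()
    for e, d in zip(sorted(SAMPLE_EVENTS, key=lambda e: e["ts"]), decisions):
        print(e["device"], e["ts"].time(), e["kind"], "->", d)
```

Running it shows the same remote admin tool allowed on ws-01 before the tamper signal, blocked during the window along with the untrusted executable and Safe Mode reboot, left alone on the uninvolved ws-02, and allowed again once the window expires; the block decisions are where a real product would hand defenders the extra time the post describes.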
Active adversaries are infiltrating organizations of all sizes, often evading detection by turning off security protections and abusing legitimate IT tools. While the most common initial entry vectors were exploitation of unpatched vulnerabilities and compromised credentials, active adversaries also craft custom malware, deliberately strike during off-hours, and blend into the victim's environment.
To enhance resilience, organizations must adapt to these adversaries, implementing effective tactics against specific attacks and ensuring they operate with an adaptable set of security policies and governance efforts informed by timely and accurate threat intelligence.